The Jetty web server has a Java Password class that can obfuscate plain text and reverse that obfuscation. This is especially useful when configuring features, like SSL, that require placing passwords in configuration files. Without obfuscation, those passwords are stored as plain text.

Obfuscation only makes a text string harder for a person to read at a glance. It is not encryption: as shown under Reverse Obfuscation below, the same class turns an obfuscated string back into plain text.

Before you start, you'll need:

In my examples I'm using Jetty 9.4 and Java 1.8.

Obfuscation

The Password class is part of lib/jetty-util-[VERSION_NUMBER].jar. To obfuscate a password, use the following command.

java -cp jetty-util-[VERSION_NUMBER].jar org.eclipse.jetty.util.security.Password [PASSWORD]
  • The [VERSION_NUMBER] will be specific to the version of Jetty you're using. Verify the file name that came with your version of Jetty.
  • The [PASSWORD] is your plain text password that you want obfuscated.

Example

$ java -cp jetty-util-9.4.6.v20170531.jar org.eclipse.jetty.util.security.Password SecretPassword123
2017-08-15 18:44:13.036:INFO::main: Logging initialized @148ms to org.eclipse.jetty.util.log.StdErrLog
SecretPassword123
OBF:1fof1j1u1igh1vgt1vn61y101sgo1v1p1ym71v2p1siu1y0q1vnw1vg11idp1iz01fmn
MD5:512d9845442e46f891bafc22f06b171e

In this example, my [VERSION_NUMBER] is 9.4.6.v20170531 and my [PASSWORD] is SecretPassword123. The class prints:

  • Plain text password is SecretPassword123
  • Obfuscated password is OBF:1fof1j1u1igh1vgt1vn61y101sgo1v1p1ym71v2p1siu1y0q1vnw1vg11idp1iz01fmn
  • MD5 is MD5:512d9845442e46f891bafc22f06b171e

The obfuscated password can be used in Jetty's configuration files where needed. When using the obfuscated password, make sure to include the OBF: prefix.

Reverse Obfuscation

The Password class makes reversing obfuscation easy. The process is the same as obfuscating plain text, except you pass the obfuscated password to the Password class, as shown below.

java -cp jetty-util-[VERSION_NUMBER].jar org.eclipse.jetty.util.security.Password [OBF:PASSWORD]

Example

$ java -cp jetty-util-9.4.6.v20170531.jar org.eclipse.jetty.util.security.Password OBF:1fof1j1u1igh1vgt1vn61y101sgo1v1p1ym71v2p1siu1y0q1vnw1vg11idp1iz01fmn
2017-08-15 18:45:48.165:INFO::main: Logging initialized @134ms to org.eclipse.jetty.util.log.StdErrLog
SecretPassword123
OBF:1fof1j1u1igh1vgt1vn61y101sgo1v1p1ym71v2p1siu1y0q1vnw1vg11idp1iz01fmn
MD5:f8ad4d396e4cc2eb2955d3911eb14cb9

Notice that [OBF:PASSWORD] is the obfuscated password from the previous output. The class detects that the argument starts with OBF: and reverses the obfuscation. The plain text and OBF: lines are the same as before (the MD5: line differs in the output above); this time we're interested in the plain text version of the password, SecretPassword123.

I've found this useful when working with SSL keystores for which I don't have the keystore password. I can take the obfuscated password set in the Jetty configuration files and use the Password class to obtain the password.
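Because the OBF: format uses no key, any OBF: value found in a configuration file should be handled as a plain text secret. The Python script below is an added example, not code from Jetty or from the original post: it re-implements the decoding (it reproduces the sample value shown above) and reports where OBF: values occur in configuration text without printing the recovered password. The function names and the property names in the sample are assumptions, as is the handling of a "U" marker for non-ASCII bytes.

```python
"""Flag Jetty OBF: values in configuration text as recoverable secrets."""
import re

# "OBF:" followed by groups of 4 base-36 digits, one group per password byte.
OBF_RE = re.compile(r"OBF:(?:U?[0-9a-z]{4})+")

def deobfuscate(value):
    """Reverse the keyless OBF: encoding and return the plain text."""
    s = value[4:] if value.startswith("OBF:") else value
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "U":
            # Assumption: newer Jetty marks byte pairs >= 0x80 with "U".
            out.append(int(s[i + 1:i + 5], 36) >> 8)
            i += 5
        else:
            # Each group packs (127 + b1 + b2) * 256 + (127 + b1 - b2),
            # where b2 is the mirrored byte from the other end.
            i1, i2 = divmod(int(s[i:i + 4], 36), 256)
            out.append((i1 + i2 - 254) // 2)
            i += 4
    return out.decode("utf-8")

def audit(text, source="<config>"):
    """Return one finding per OBF: value; the secret itself is not reported."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in OBF_RE.finditer(line):
            try:
                deobfuscate(match.group(0))
                recoverable = True
            except (ValueError, UnicodeDecodeError):
                recoverable = False  # not a well-formed OBF: value
            findings.append({"source": source, "line": lineno,
                             "key": line.split("=", 1)[0].strip(),
                             "recoverable": recoverable})
    return findings

# Constructed sample; the OBF: value is the one shown earlier on this page.
SAMPLE = """\
jetty.ssl.port=8443
jetty.sslContext.keyStorePassword=OBF:1fof1j1u1igh1vgt1vn61y101sgo1v1p1ym71v2p1siu1y0q1vnw1vg11idp1iz01fmn
"""

if __name__ == "__main__":
    for f in audit(SAMPLE, "start.d/ssl.ini"):
        print(f"{f['source']}:{f['line']} {f['key']}: OBF value, "
              f"recoverable without a key: {f['recoverable']}")
```

A finding marked recoverable means the file needs the same access controls and rotation handling as one holding the password in plain text.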
